Disable Network File System (nfs)

An XCCDF Rule

Description

The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The nfs-server service can be disabled with the following command:

$ sudo systemctl mask --now nfs-server.service

Rationale

Unnecessary services should be disabled to decrease the attack surface of the system.

ID: xccdf_org.ssgproject.content_rule_service_nfs_disabled
Severity: Unknown
References: 11 12 14 15 16 18 3 5

DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7

A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CM-6(a) CM-7(a) CM-7(b)

PR.AC-4 PR.AC-6 PR.PT-3

2.2.7

CCE-91364-0
Updated: about 1 month ago

Remediation Templates

include disable_nfs-server
class disable_nfs-server {
  service {'nfs-server':
    enable => false,
    ensure => 'stopped',
  }
}

[customizations.services]
masked = ["nfs-server"]

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91364-0
  - NIST-800-53-CM-6(a)  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfs_disabled
  - unknown_severity
- name: Disable Network File System (nfs) - Collect systemd Services Present in the
    System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91364-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfs_disabled
  - unknown_severity

- name: Disable Network File System (nfs) - Ensure nfs-server.service is Masked
  ansible.builtin.systemd:
    name: nfs-server.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel-default" in ansible_facts.packages'
  - service_exists.stdout_lines is search("nfs-server.service", multiline=True)
  tags:
  - CCE-91364-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfs_disabled
  - unknown_severity

- name: Unit Socket Exists - nfs-server.socket
  ansible.builtin.command: systemctl -q list-unit-files nfs-server.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91364-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfs_disabled
  - unknown_severity

- name: Disable Network File System (nfs) - Disable Socket nfs-server
  ansible.builtin.systemd:
    name: nfs-server.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel-default" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("nfs-server.socket", multiline=True)
  tags:
  - CCE-91364-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_nfs_disabled
  - unknown_severity

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfs-server.service'
"$SYSTEMCTL_EXEC" disable 'nfs-server.service'
"$SYSTEMCTL_EXEC" mask 'nfs-server.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then
    "$SYSTEMCTL_EXEC" stop 'nfs-server.socket'
    "$SYSTEMCTL_EXEC" mask 'nfs-server.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Network File System (nfs)

Description

Rationale

Remediation Templates

A Puppet Snippet

OS Build Blueprint

An Ansible Snippet

A Shell Script